Bump the npm-minor-patch group across 1 directory with 8 updates

[dependabot]

Bumps the npm-minor-patch group with 8 updates in the /frontend directory:

Package	From	To
dompurify	3.4.2	3.4.8
marked	18.0.3	18.0.5
plotly.js-dist-min	3.5.1	3.6.0
@playwright/test	1.59.1	1.60.0
svelte	5.55.5	5.56.2
svelte-check	4.4.8	4.6.0
vite	8.0.11	8.0.16
vitest	4.1.5	4.1.8

Updates dompurify from 3.4.2 to 3.4.8

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.8

• Cleaned up the repository root, renamed some and removed unneeded files
• Fixed an issue with handling of Trusted Types policies, thanks @​fulstadev
• Fixed the node iterator for better template scrubbing, thanks @​IamLeandrooooo
• Included formerly missing LICENSE-MPL in published npm package, thanks @​asamuzaK
• Bumped several dependencies where possible

DOMPurify 3.4.7

• Hardened the handling of Shadow Roots when using IN_PLACE, thanks @​GameZoneHacker
• Removed a problem leading to permanent hook pollution, thanks @​offset
• Refactored the test suite and expanded test coverage significantly

DOMPurify 3.4.6

• Fixed several issues with DOM Clobbering in IN_PLACE mode, thanks @​offset & @​Bankde
• Hardened the checks for cross-realm IN_PLACE and Shadow DOM sanitization, thanks @​offset & @​Bankde
• Added more test coverage for IN_PLACE and general DOM Clobbering attacks
• Bumped several dependencies where possible

DOMPurify 3.4.5

• Fixed a bypass caused by the new HTML element selectedcontent added in 3.4.4, thanks @​KabirAcharya

Note that this is a security release for an issue introduced in 3.4.4 and should be upgraded to immediately.

DOMPurify 3.4.4

• Added the selectedcontent element to default allow-list, thanks @​lukewarlow
• Added the command and commandfor attributes to default allowed-list, thanks @​lukewarlow
• Added better template scrubbing for IN_PLACE operations, thanks @​DEMON1A
• Added stronger checks for cross-realm windows, thanks @​DEMON1A & @​fg0x0
• Updated demo website and made sure it uses the latest from main
• Updated existing workflows, fuzzer, dependabot, etc., added more tests
• Bumped several dependencies where possible

🚨 This release had been flagged as deprecated, please use DOMPurify 3.4.5 instead 🚨

DOMPurify 3.4.3

• Fixed an issue with handling of nested Shadow DOM trees, thanks @​fishjojo1
• Fixed the template regexes to be more robust against ReDoS attacks, thanks @​aleung27
• Updated the node iteration code to catch more Shadow DOM related issues
• Updated Playwright and added Node 26 to test matrix
• Updated existing workflows, fuzzer, release signing, etc., added more tests
• Bumped several dependencies where possible

Commits

• bcdd828 release: 3.4.8 (#1439)
• ca30f07 release: 3.4.7 (#1414)
• bb7739e release: 3.4.6 (#1394)
• 011b0c7 release: 3.4.5 (#1382)
• 5817ad9 release: 3.4.4 (#1374)
• 520edb0 release: 3.4.3 (#1352)
• See full diff in compare view

Updates marked from 18.0.3 to 18.0.5

Release notes

Sourced from marked's releases.

v18.0.5

18.0.5 (2026-06-04)

Bug Fixes

• parse empty list item with trailing space (#3984) (b55410f)

v18.0.4

18.0.4 (2026-05-19)

Bug Fixes

• cache list indentation regexes (#3969) (a37983f)
• fix cli not reading stdin (#3967) (11adb69)

Commits

• 4063c63 chore(release): 18.0.5 [skip ci]
• b55410f fix: parse empty list item with trailing space (#3984)
• c6e667b chore(deps-dev): bump eslint from 10.4.0 to 10.4.1 (#3986)
• 95f98ec chore(deps-dev): bump @​arethetypeswrong/cli from 0.18.2 to 0.18.3 (#3985)
• c1a86f0 Add Node.js usage example to README (#3983)
• 763f729 chore(deps-dev): bump marked-man from 2.1.0 to 2.1.1 (#3978)
• 2cf1fd0 chore(deps-dev): bump markdown-it from 14.1.1 to 14.2.0 (#3977)
• 0a2cd54 chore(release): 18.0.4 [skip ci]
• 11adb69 fix: fix cli not reading stdin (#3967)
• a37983f fix: cache list indentation regexes (#3969)
• Additional commits viewable in compare view

Updates plotly.js-dist-min from 3.5.1 to 3.6.0

Release notes

Sourced from plotly.js-dist-min's releases.

v3.6.0

Added

• Add support for arrays for the pie property legendrank, so that it can be configured per slice [#7723], with thanks to @​my-tien for the contribution!
• Add hoversort layout attribute to sort unified hover label items by value [#7734], with thanks to @​kimsehwan96 for the contribution!

Fixed

• Fix unexpected ticklabelindex behavior when minor ticks are not shown [#7735], with thanks to @​my-tien for the contribution!
• Fix issue where hoveranywhere / clickanywhere would not emit hover and click events over editable shapes [#7788]
• Handle 'pixel' size mode for shape labels [#7790]
• Update box plot defaults to fix issue with calling Plotly.react to switch from box to violin plot [#7811]
• Include shapes with legendgroup specified when handling legend visibility toggling [#7813]

Full Changelog: plotly/plotly.js@v3.5.1...v3.6.0

Changelog

Sourced from plotly.js-dist-min's changelog.

[3.6.0] -- 2026-06-01

Added

• Add support for arrays for the pie property legendrank, so that it can be configured per slice [#7723], with thanks to @​my-tien for the contribution!
• Add hoversort layout attribute to sort unified hover label items by value [#7734], with thanks to @​kimsehwan96 for the contribution!

Fixed

• Fix unexpected ticklabelindex behavior when minor ticks are not shown [#7735], with thanks to @​my-tien for the contribution!
• Fix issue where hoveranywhere / clickanywhere would not emit hover and click events over editable shapes [#7788]
• Handle 'pixel' size mode for shape labels [#7790]
• Update box plot defaults to fix issue with calling Plotly.react to switch from box to violin plot [#7811]
• Include shapes with legendgroup specified when handling legend visibility toggling [#7813]

Commits

• ca26165 3.6.0
• 966b223 updates for release v3.6.0
• 067ce36 Merge pull request #7814 from plotly/fix-typo-in-upload-dev-build
• 856b506 Fix typo in property name
• 21ce92b Merge pull request #7811 from plotly/cam/7791/box-to-violin-plot-fix
• dbefbad Merge pull request #7813 from plotly/cam/6771/fix-legendgroup-toggling-shapes
• 76296e8 Add draftlog
• c1b147f Add test
• 1a08754 Include shapes with legendgroup when handling legend click
• 61b8186 Linting/formatting
• Additional commits viewable in compare view

Updates @playwright/test from 1.59.1 to 1.60.0

Release notes

Sourced from @​playwright/test's releases.

v1.60.0

🌐 HAR recording on Tracing

tracing.startHar() / tracing.stopHar() expose HAR recording as a first-class tracing API, with the same content, mode and urlFilter options as recordHar. The returned Disposable makes it easy to scope a recording with await using:

await using har = await context.tracing.startHar('trace.har');
const page = await context.newPage();
await page.goto('https://playwright.dev');
// HAR is finalized when `har` goes out of scope.

🪝 Drop API

New locator.drop() simulates an external drag-and-drop of files or clipboard-like data onto an element. Playwright dispatches dragenter, dragover, and drop with a synthetic [DataTransfer] in the page context — works cross-browser and is great for testing upload zones:

await page.locator('#dropzone').drop({
  files: { name: 'note.txt', mimeType: 'text/plain', buffer: Buffer.from('hello') },
});
await page.locator('#dropzone').drop({
data: {
'text/plain': 'hello world',
'text/uri-list': 'https://example.com',
},
});

🎯 Aria snapshots

• expect(page).toMatchAriaSnapshot() now works on a Page, in addition to a Locator — equivalent to asserting against page.locator('body').
• New boxes option on locator.ariaSnapshot() / page.ariaSnapshot() appends each element's bounding box as [box=x,y,width,height], useful for AI consumption.

🛑 test.abort()

New test.abort() aborts the currently running test from a fixture, hook, or route handler with an optional message. Use it when you have detected an unrecoverable misuse and want to fail the test right away:

test('does not publish to the shared page', async ({ page }) => {
  await page.route('**/publish', route => {
    test.abort('Tests must not publish to the shared page. Use the `clone` option.');
    return route.abort();
  });
  // ...
});

New APIs

Browser, Context and Page

... (truncated)

Commits

• 87bb9dd cherry-pick(#40747): fix(yauzl): vendor yauzl with destroy-lifecycle fix
• 9a9c51c cherry-pick(#40733): chore(electron): revert #40184 (move Electron API to a s...
• 4b3b628 cherry-pick(#40736): Revert "feat(electron): add timeout option to electronAp...
• f869f96 chore: bump version to v1.60.0 (#40714)
• 7eb6918 cherry-pick(#40710): docs: release notes v1.60
• 118d2aa cherry-pick(#40693): chore(python): formdata path type
• 54012f5 chore(deps): bump ip-address and express-rate-limit (#40680)
• 9fa531d fix(screencast): unblock frame ack when an async client disconnects (#40674)
• 3649db5 chore(mcp): bump default extension protocol to v2 (#40678)
• bb6c009 chore(extension): mark 0.2.1 (#40679)
• Additional commits viewable in compare view

Updates svelte from 5.55.5 to 5.56.2

Release notes

Sourced from svelte's releases.

svelte@5.56.2

Patch Changes

• fix: properly track effect end node for async sibling component (#18371)

• fix: prevent false-positive reactivity loss warning (#18373)

• chore: bump esrap dependency (#18372)

• fix: ignore declaration tags for animation directive (#18366)

• fix: reject pending async deriveds on discard (#18308)

svelte@5.56.1

Patch Changes

• fix: error at compile time on duplicate snippet/declaration tag definitions (#18351)

• fix: parse declaration tag contents more robustly (#18353)

• fix: correctly transform references to earlier declarators in a declaration tag (e.g. {let a = $state(0), b = $derived(a * 2)}) (#18348)

• fix: avoid spurious state_referenced_locally warnings for $derived declarations in declaration tags (#18348)

• fix: tolerate whitespace before let/const in declaration tags (#18348)

• fix: prevent infinite loop when a tag's expression ends with a trailing / at the end of the input (#18350)

• fix: more robust parsing of declaration tags with regards to type (#18330)

• fix: preserve newlines in spread input values when the type attribute is applied after value (#18345)

• fix: update SvelteURLSearchParams when setting duplicate keys to the same joined value (#18336)

• fix: check references for blockers on server, too (#18352)

svelte@5.56.0

Minor Changes

• feat: allow declarations in the template (#18282)

Patch Changes

• perf: use createElement instead of createElementNS for HTML elements (#18262)

• perf: store current_sources as a Set for O(1) membership checks (#18278)

• perf: deduplicate identical hoisted templates within a component (#18320)

• perf: hoist rest_props exclude list as a module-scope Set (#18252)

... (truncated)

Changelog

Sourced from svelte's changelog.

5.56.2

Patch Changes

• fix: properly track effect end node for async sibling component (#18371)

• fix: prevent false-positive reactivity loss warning (#18373)

• chore: bump esrap dependency (#18372)

• fix: ignore declaration tags for animation directive (#18366)

• fix: reject pending async deriveds on discard (#18308)

5.56.1

Patch Changes

• fix: error at compile time on duplicate snippet/declaration tag definitions (#18351)

• fix: parse declaration tag contents more robustly (#18353)

• fix: correctly transform references to earlier declarators in a declaration tag (e.g. {let a = $state(0), b = $derived(a * 2)}) (#18348)

• fix: avoid spurious state_referenced_locally warnings for $derived declarations in declaration tags (#18348)

• fix: tolerate whitespace before let/const in declaration tags (#18348)

• fix: prevent infinite loop when a tag's expression ends with a trailing / at the end of the input (#18350)

• fix: more robust parsing of declaration tags with regards to type (#18330)

• fix: preserve newlines in spread input values when the type attribute is applied after value (#18345)

• fix: update SvelteURLSearchParams when setting duplicate keys to the same joined value (#18336)

• fix: check references for blockers on server, too (#18352)

5.56.0

Minor Changes

• feat: allow declarations in the template (#18282)

Patch Changes

• perf: use createElement instead of createElementNS for HTML elements (#18262)

• perf: store current_sources as a Set for O(1) membership checks (#18278)

... (truncated)

Commits

• 51baf1c Version Packages (#18357)
• 3d5c4ab fix: prevent false-positive reactivity loss warning (#18373)
• bdb1a0f fix: ensure async block assigns correct nodes to effect (#18371)
• e4bfc5f chore: bump esrap dependency (#18372)
• 1b4c43b fix: ignore declaration tags for animation directive (#18366)
• 85dcb91 chore: upgrade to vitest v4 (#18265)
• a81f965 fix: reject pending async deriveds on discard (#18308)
• 3ef761b Version Packages (#18346)
• 5b8db1b fix: error at compile time on duplicate snippet/declaration tag definitions (...
• 56013a2 fix: check references for blockers on server, too (#18352)
• Additional commits viewable in compare view

Updates svelte-check from 4.4.8 to 4.6.0

Release notes

Sourced from svelte-check's releases.

svelte-check@4.6.0

Minor Changes

• feat: support reading Svelte config from vite.config.js/ts (#3031)

Patch Changes

• Updated dependencies [151cf45]:
  • @​sveltejs/load-config@​0.1.1

svelte-check@4.5.0

Minor Changes

• feat: support Svelte 5 declaration tags (#3033)

Patch Changes

• fix: properly handle props with the name slot inside Svelte 5 snippets (#3030)

• feat: add support for svelte config ts/mts files (#3009)

Commits

• 20d5ab2 Version Packages (#3040)
• 0ecf6c3 fix: adjust rollup config (#3047)
• 151cf45 fix: adjust paths in PKG.json (#3046)
• 6099462 chore: fix changeset (#3045)
• 5b13da1 feat: support reading Svelte config from vite.config.js/ts (#3031)
• f2bcbda fix: mark optional members with a trailing ? in completion labels (#3043) (#3...
• e5ed88f fix: don't show type inlay hint for component inside snippets (#3041)
• b118dd3 fix: correct 'occured' typo in svelte:boundary onerror description (#3039)
• 67fbcae Version Packages (#3018)
• 3474048 fix(emitDts): drop declarations emitted outside declarationDir (#2965)
• Additional commits viewable in compare view

Updates vite from 8.0.11 to 8.0.16

Release notes

Sourced from vite's releases.

v8.0.16

Please refer to CHANGELOG.md for details.

v8.0.15

Please refer to CHANGELOG.md for details.

v8.0.14

Please refer to CHANGELOG.md for details.

v8.0.13

Please refer to CHANGELOG.md for details.

v8.0.12

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

8.0.16 (2026-06-01)

Bug Fixes

• deps: reject UNC paths for launch-editor-middleware (#22571) (50b9512)
• reject windows alternate paths (#22572) (dc245c7)

8.0.15 (2026-06-01)

Features

• send 408 on request timeout (#22476) (c85c9ee)
• update rolldown to 1.0.3 (#22538) (646dbed)

Bug Fixes

• capitalize error messages and remove spurious space in parse error (#22488) (85a0eff)
• deps: update all non-major dependencies (#22511) (2686d7d)
• dev: fix html-proxy cache key mismatch for /@fs/ HTML paths (#21762) (47c4213)
• glob: error on relative glob in virtual module when no files match (#22497) (5c8e98f)
• optimizer: close the rolldown bundle when write() rejects (#22528) (e3cfb9d)
• resolve: provide onWarn for viteResolvePlugin in JS plugin containers (#22509) (40985f1)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#22566) (3052a67)

Code Refactoring

• correct logic in collectAllModules function (#22562) (6978a9c)

8.0.14 (2026-05-21)

Features

• update rolldown to 1.0.2 (#22484) (96efc88)

Bug Fixes

• deps: update all non-major dependencies (#22471) (98b8163)
• dev: handle errors when sending messages to vite server (#22450) (e8e9a34)
• html: handle trailing slash paths in transformIndexHtml (#22480) (5d94d1b)
• optimizer: pass oxc jsx options to transformSync in dependency scan (#22342) (b3132da)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#22470) (7cb728e)
• remove irrelevant commits from changelog (2c69495)

Code Refactoring

• glob: do not rewrite import path for absolute base (#22310) (0ae2844)

... (truncated)

Commits

• f94df87 release: v8.0.16
• dc245c7 fix: reject windows alternate paths (#22572)
• 50b9512 fix(deps): reject UNC paths for launch-editor-middleware (#22571)
• 8d1b019 release: v8.0.15
• 2686d7d fix(deps): update all non-major dependencies (#22511)
• 3052a67 chore(deps): update rolldown-related dependencies (#22566)
• e3cfb9d fix(optimizer): close the rolldown bundle when write() rejects (#22528)
• 6978a9c refactor: correct logic in collectAllModules function (#22562)
• 646dbed feat: update rolldown to 1.0.3 (#22538)
• 85a0eff fix: capitalize error messages and remove spurious space in parse error (#22488)
• Additional commits viewable in compare view

Updates vitest from 4.1.5 to 4.1.8

Release notes

Sourced from vitest's releases.

v4.1.8

   🐞 Bug Fixes

• browser:
  • Disable client cdp API when allowWrite/allowExec: false [backport to v4]  -  by @​hi-ogawa and Codex in vitest-dev/vitest#10450 (e4067)
  • Remove orphaned Playwright route when same module is mocked via multiple ids [backport to v4]  -  by @​toxik and @​Zelys-DFKH in vitest-dev/vitest#10474 (675b4)

    View changes on GitHub

v4.1.7

   🐞 Bug Fixes

• runner: Limit concurrency per task branch in addition to per leaf callbacks (backport)  -  by @​hi-ogawa in vitest-dev/vitest#10384 (4f0f2)

    View changes on GitHub

v4.1.6

   🐞 Bug Fixes

• browser: Provide project reference in ToMatchScreenshotResolvePath  -  by @​macarie and @​sheremet-va in vitest-dev/vitest#10138 (31882)
• Global sequence.concurrent: true with top-level test(..., { concurrent: false }) + depreacte sequential test API and options  -  by @​hi-ogawa, Codex and @​sheremet-va in vitest-dev/vitest#10196 (2847d)
• browser: Simplify orchestrator otel carrier  -  by @​hi-ogawa in vitest-dev/vitest#10285 (18af9)

   🏎 Performance

• Stringify diff objects only once  -  by @​sheremet-va in vitest-dev/vitest#10276 (9f7b1)

    View changes on GitHub

Commits

• e61f2dd chore: release v4.1.8
• e4067b3 fix(browser): disable client cdp API when allowWrite/allowExec: false [ba...
• a09d472 chore: release v4.1.7
• a8fd24c chore: release v4.1.6
• 18af98c fix(browser): simplify orchestrator otel carrier (#10285)
• 3188260 feat(browser): provide project reference in ToMatchScreenshotResolvePath (#...
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.